distinguish between IPv4 and IPv6

distinguish between IPv4 and IPv6

Walter H.
Hello,

Is there a way that I can do something like

if ( dst is IPv4 ) go direct
if ( dst is IPv6 ) use parent proxy xxx

The reason for my question: I'm using an IPv6-in-IPv4 tunnel,
and it would make sense to forward all traffic going to IPv6 to squid
running on the tunnel end.

Thanks,
Walter



_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: distinguish between IPv4 and IPv6

Amos Jeffries
Administrator
The dst ACL type accepts the special value of "ipv4". You can use that and the "!" operator to split traffic.

However, please be aware dst is not very reliable until *after* the outgoing connection has been created, and we are still finding some access checks that do not use it correctly. YMMV.

Amos

Re: distinguish between IPv4 and IPv6

Eliezer Croitoru-3

The detection of an IPv6 available DST can be determined by DNS and an external ACL helper.

It will “slow” down the first couple of bytes of the connection but can be much more reliable than the basic “dst” acl.

The basic test would be something like:

nslookup -type=aaaa www.squid-cache.org -timeout=10 |grep -v '#53'|grep Address:|wc -l

If the wc -l is gt 0 then try to use IPv6.

I believe it’s pretty simple and the main issue is if a service advertises an unreachable IPv6 address.

It can be either because of network misconfiguration or FW or misconfigured DNS.

I have seen all of the above happen in production services in the last year.

I can write a helper for this if required.

Eliezer

 

----

Eliezer Croitoru

Tech Support

Mobile: +972-5-28704261

Email: [hidden email]

Zoom: Coming soon
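
Added example, not part of the original post or of Squid's own code: a minimal external ACL helper that performs the AAAA check described above with the system resolver instead of nslookup. The squid.conf wiring in the docstring, the helper path, the ACL names and port 3128 are assumptions; "xxx" is the parent proxy placeholder from the thread.

```python
#!/usr/bin/env python3
"""Squid external ACL helper: answers OK when the destination has an IPv6 address.

Assumed squid.conf wiring (names, path and port are illustrative; "xxx" is the
parent proxy placeholder used in the thread):

    external_acl_type aaaa_check ttl=300 negative_ttl=60 %DST /usr/local/bin/aaaa_check.py
    acl dst_has_aaaa external aaaa_check
    cache_peer xxx parent 3128 0 no-query
    never_direct  allow dst_has_aaaa
    always_direct allow !dst_has_aaaa
"""
import ipaddress
import socket
import sys


def has_ipv6(host, resolve=socket.getaddrinfo):
    """True if host is an IPv6 literal or resolves to at least one IPv6 address."""
    host = host.strip().strip("[]")
    if not host or host == "-":
        return False
    try:
        return ipaddress.ip_address(host).version == 6  # literal: no DNS needed
    except ValueError:
        pass  # not an IP literal, fall through to DNS
    try:
        return len(resolve(host, None, socket.AF_INET6, socket.SOCK_STREAM)) > 0
    except (OSError, UnicodeError):  # NXDOMAIN, no AAAA, resolver timeout, bad name
        return False


def answer(line, resolve=socket.getaddrinfo):
    """Map one request line from Squid (the %DST value) to a helper reply."""
    fields = line.split()
    return "OK" if fields and has_ipv6(fields[0], resolve) else "ERR"


def main():
    for line in sys.stdin:
        sys.stdout.write(answer(line) + "\n")
        sys.stdout.flush()  # Squid waits for each reply, so never buffer


if __name__ == "__main__":
    main()
```

An OK reply only means an IPv6 address is advertised in DNS; it does not show that the address is reachable, which is the failure case mentioned in the message above.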

 

 

Re: distinguish between IPv4 and IPv6

Walter H.
Hello,

I did something different, that prevents using the IPv6 of the tunnel device as source address;
(a general solution not just squid)

Walter

Re: distinguish between IPv4 and IPv6

Eliezer Croitoru-3

Can you share this solution of yours?

These days it’s good to know about any piece of IPv4 vs/with IPv6 stack solutions.

 

Eliezer

 
